@@ -7,8 +7,9 @@

   * udptunnel-vpn-config.m4 allows global file to override as intended.
   * www-cgi passes HTTP_COOKIE header.
   * indirect ssh via V_sshinvoke.
+  * userv-ipif config file allows exclusions in network permissions.

- --
+ -- Ian Jackson <ian@davenant.greenend.org.uk>  Sat, 15 Dec 2001 17:55:06 +0000

 userv-utils (0.2.1) unstable; urgency=low

1 files changed, 111 insertions, 37 deletions

diff --git a/ipif/service.c b/ipif/service.c
index 4137794..3a59b2b 100644
--- a/ipif/service.c
+++ b/ipif/service.c
@@ -59,7 +59,7 @@
  *      Reads a file which contains lines which are each <config>
  *      items.
  *
- *   <gid>,[=]<prefix>/<len>[,<junk>]
+ *   <gid>,[=][-|+]<prefix>/<len>(-|+<prefix>/<len>...)[,<junk>]
  *
  *      Indicates that <gid> may allocate addresses in the relevant address
  *      range (<junk> is ignored).  <gid> must be numeric.  To specify a
@@ -67,6 +67,13 @@
  *      specified then the specific subrange is only allowed for the local
  *      endpoint address, but not for remote addresses.
  *
+ *      More than one range may be given, with each range prefixed
+ *      by + or -.  In this case each address range in the rule will
+ *      scanned in order, and the first range in the rule that matches
+ *      any desired rule will count: if that first matching range is
+ *      prefixed by `+' (or nothing) then the rule applies, if it
+ *      is prefixed by `-' (or nothing matches), the rule does not.
+ *
  *   *
  *      Means that anything is to be permitted.  This should not appear in
  *      /etc/userv/ipif-networks, as that would permit any user on the
@@ -128,11 +135,12 @@ static const int signals[]= { SIGHUP, SIGINT, SIGTERM, 0 };
 
 static const char *configstr, *proto;
 static unsigned long localaddr, peeraddr, mtu;
+static int localpming, peerpming;
 static int localallow, peerallow, allallow;
 static int nexroutes;
 static struct exroute {
   unsigned long prefix, mask;
-  int allow;
+  int allow, pming;
   char prefixtxt[ATXTLEN], masktxt[ATXTLEN];
 } exroutes[MAXEXROUTES];
 
@@ -290,12 +298,17 @@ static unsigned long eat_number(const char **argp, const char *what,
   return rv;
 }
 
-static void addrnet_mustdiffer(const char *w1, unsigned long p1, unsigned long m1,
-			       const char *w2, unsigned long p2, unsigned long m2) {
+static int addrnet_overlap(unsigned long p1, unsigned long m1,
+			   unsigned long p2, unsigned long m2) {
   unsigned long mask;
 
   mask= m1&m2;
-  if ((p1 & mask) != (p2 & mask)) return;
+  return (p1 & mask) == (p2 & mask);
+}
+
+static void addrnet_mustdiffer(const char *w1, unsigned long p1, unsigned long m1,
+			       const char *w2, unsigned long p2, unsigned long m2) {
+  if (!addrnet_overlap(p1,m1,p2,m2)) return;
   badusage("%s %08lx/%08lx overlaps/clashes with %s %08lx/%08lx",
 	   w1,p1,m1, w2,p2,m2);
 }
@@ -341,35 +354,66 @@ static int addrnet_isin(unsigned long prefix, unsigned long mask,
 			unsigned long mprefix, unsigned long mmask) {
   return  !(~mask & mmask)  &&  (prefix & mmask) == mprefix;
 }
+
+/* Totally hideous algorithm for parsing the config file lines.
+ * For each config file line, we first see if its gid applies.  If not
+ * we skip it.  Otherwise, we do
+ *  permit_begin
+ *     which sets <foo>pming to 1
+ * for each range.  <foo>pming may be 0 if we've determined that
+ * this line does not apply to <foo>.
+ *  permit_range
+ *     which calls permit_range_thing for each <foo>
+ *        which checks to see if <foo> is inside the relevant
+ *        range (for +) or overlaps it (for -) and updates
+ *        <foo>allow and <foo>pming.
+ */
+
+static void permit_begin(void) {
+  int i;
   
+  localpming= peerpming= 1;
+  for (i=0; i<nexroutes; i++) exroutes[i].pming= 1;
+}
+
+static void permit_range_thing(unsigned long tprefix, unsigned long tmask,
+			       const char *what, int *tallow, int *tpming,
+			       unsigned long pprefix, unsigned long pmask,
+			       int plus, int *any) {
+  if (plus) {
+    if (!addrnet_isin(tprefix,tmask, pprefix,pmask)) return;
+    if (*tpming) *tallow= 1;
+  } else {
+    if (!addrnet_overlap(tprefix,tmask, pprefix,pmask)) return;
+    *tpming= 0;
+  }
+  if (!proto) printf(" %c%s", plus?'+':'-', what);
+  *any= 1;
+}
 
-static void permit(unsigned long pprefix, unsigned long pmask, int localonly) {
+static void permit_range(unsigned long prefix, unsigned long mask,
+			 int plus, int localonly) {
   int i, any;
+  char idbuf[40];
   
-  assert(!(pprefix & ~pmask));
+  assert(!(prefix & ~mask));
   any= 0;
 
-  if (!proto) fputs(localonly ? "permits-l" : "permits",stdout);
-  if (addrnet_isin(localaddr,~0UL, pprefix,pmask)) {
-    if (!proto) fputs(" local-addr",stdout);
-    any= localallow= 1;
-  }
+  permit_range_thing(localaddr,~0UL,"local", &localallow,&localpming,
+		     prefix,mask, plus,&any);
+
   if (!localonly) {
-    if (addrnet_isin(peeraddr,~0UL, pprefix,pmask)) {
-      if (!proto) fputs(" peer-addr",stdout);
-      any= peerallow= 1;
-    }
+    permit_range_thing(peeraddr,~0UL, "peer-addr", &peerallow,&peerpming,
+		       prefix,mask, plus,&any);
     for (i=0; i<nexroutes; i++) {
-      if (addrnet_isin(exroutes[i].prefix,exroutes[i].mask, pprefix,pmask)) {
-	if (!proto) printf(" route#%d",i);
-	any= exroutes[i].allow= 1;
-      }
+      sprintf(idbuf,"route#%d",i);
+      permit_range_thing(exroutes[i].prefix,exroutes[i].mask, idbuf,
+			 &exroutes[i].allow,&exroutes[i].pming,
+			 prefix,mask, plus,&any);
     }
   }
-  if (!proto) {
+  if (!proto)
     if (!any) fputs(" nothing",stdout);
-    putchar('\n');
-  }
 }
 
 static void pconfig(const char *configstr, int truncated);
@@ -421,14 +465,15 @@ static void pfile(const char *filename) {
 
 static void pconfig(const char *configstr, int truncated) {
   unsigned long fgid, tgid, pprefix, pmask;
-  int plen, localonly;
+  int plen, localonly, plus, rangeix, delim;
   char ptxt[ATXTLEN];
+  char whattxt[100];
   const char *gidlist;
   
   switch (configstr[0]) {
   case '*':
-    if (strcmp(configstr,"*")) badusage("`*' directive must be only thing on line");
-    permit(0UL,0UL,0);
+    permit_begin();
+    permit_range(0UL,0UL,1,0);
     return;
     
   case '#':
@@ -444,28 +489,57 @@ static void pconfig(const char *configstr, int truncated) {
       badusage("unknown configuration directive");
     
     fgid= eat_number(&configstr,"gid", 0,gidmaxval, ",",0);
-    if (configstr[0] == '=') {
-      localonly= 1;
-      configstr++;
-    } else {
-      localonly= 0;
-    }
-    eat_prefixmask(&configstr,"permitted-prefix", ",",0, &pprefix,&pmask,&plen);
-    if (!configstr && truncated) badusage("gid,prefix/len,... spec too long");
 
-    if (!proto) printf(" %5lu,%s/%d: ", fgid, ip2txt(pprefix,ptxt), plen);
+    if (!proto) printf(" %5lu", fgid);
 
     gidlist= getenv("USERV_GID");
     if (!gidlist) fatal("USERV_GID not set");
     for (;;) {
       if (!gidlist) {
-	if (!proto) printf("no matching gid\n");
+	if (!proto) printf(" no matching gid\n");
 	return;
       }
       tgid= eat_number(&gidlist,"userv-gid", 0,gidmaxval, " ",0);
       if (tgid == fgid) break;
     }
-    permit(pprefix,pmask,localonly);
+
+    if (configstr[0] == '=') {
+      localonly= 1;
+      configstr++;
+    } else {
+      localonly= 0;
+    }
+
+    permit_begin();
+
+    rangeix= 0;
+    plus= 1;
+    switch (configstr[0]) {
+    case '-': plus= 0;     /* fall through */
+    case '+': configstr++;
+    default:;
+    }
+
+    for (;;) {
+      sprintf(whattxt, "%s-prefix#%d",
+	      plus ? "permitted" : "notpermitted",
+	      rangeix);
+      eat_prefixmask(&configstr,whattxt, ",+-",&delim,
+		     &pprefix,&pmask,&plen);
+      if (!configstr && truncated)
+	badusage("gid,prefix/len,... spec too long");
+
+      if (!proto)
+	printf("  %c%s/%d:", plus?'+':'-',ip2txt(pprefix,ptxt), plen);
+
+      permit_range(pprefix,pmask,plus,localonly);
+      if (delim==',') break;
+
+      plus= delim=='-' ? 0 : 1;
+      rangeix++;
+    }
+
+    putchar('\n');
     return;
   }
 }